A corporation or other entity often provides services to its officers, employees, partners and customers that are not available to the general public. Many of these services are accessed through a network internal to the entity. The network is made up of several computing devices serving as terminals communicating through zero or more computing devices serving as network devices responsible for passing information among the terminals. For example, financial reports are available by running a network financial application on one computing device that employs data stored in a network database on another computing device. Often, a separate database server process, with which the financial application interacts, provides the network database services.
To achieve access to the services available on the network, users log onto the network at terminals connected to the network and identify themselves. For example, an individual user provides a user identification and password. If the user identification and password match information stored on the network, the user is granted access to the network. A network authentication, authorization and accounting server (AAA Server) executing on a different computing device often performs the dialog with the user or the comparison of identification information with stored information or both.
The user may have different privileges for different applications providing different services on the network. For example, an employee in the human resources department might have authorized access to a human resources database on the network through a human resources application, but no authorized access to the financial application at all. Such access authorization is typically based on authentication of the user's identification.
Restricting access to users who know valid values for a user identification and associated password provides security for the services and data on the network. Restricting physical access to the terminals on the internal network, such as keeping terminals in facilities that require a badge or key to enter, also provides security.
Providing secure access to services on the internal network for users who have moved outside the secure facilities presents special problems. The problems arise because of the use of public networks and the portability of the mobile devices serving as terminals.
The mobile device often communicates with the internal network over public circuit-switched networks, such as employed by the telephone companies, or over the public packet-switched networks, such as the Internet.
In addition, wireless telephones and hand held devices have become popular mobile devices to serve as terminals for obtaining network services. Especially attractive are wireless telephones with data transport capabilities, such as wireless telephones employing the Wireless Application Protocol (WAP). When these devices are remotely connected to an enterprise network, users can conveniently access many network services and extensive content. However, the easy portability of such devices increases the chances that the device can fall outside the control of the authorized user through loss or theft.
The combination of public network paths and non-secure mobile devices makes secure access to services on the internal network a problem. Passwords and user identification strings passed over the Internet can be discovered easily unless they are encrypted. Standard encryption technologies build authentication software and data into the terminal. Such encryption is not secure if the terminal falls into the hands of an unauthorized person. Because the physical security of the mobile device serving as a terminal cannot be presumed, it is essential to authenticate the user, not just the mobile device.
A common approach to user authentication that is separate from device authentication involves the use of one-time passwords. Only the authorized user can generate the password. Intercepting the password as it passes over public networks is of little use, because the password cannot be used again in another session. The authorized user obtains the one-time password from a second appliance, separate from the mobile device serving as the terminal to the internal network. The user enters a private key or code into the second appliance; in response, the second appliance generates a unique one-time password based on the private key, and displays it. For example, a token appliance given to the authorized user produces a one-time password on demand. An example of such a one-time password generator is the SafeWord password generator from Secure Computing Corporation, Roseville, Minn.
While suitable for many purposes, this approach suffers from several disadvantages. For example, in practice, entering the one-time password is very cumbersome on voice-based mobile devices, such as wireless telephones, commonly carried by authorized users beyond secure facilities. Even many wireless data telephones do not have a full keypad, and share several characters or functions on each key. In addition, the one-time password often is valid only during a short time interval, and consists of a meaningless string of alphanumeric characters. The user is required to enter the private key into the code generator using its keypad, view the resulting one-time password, and quickly enter the one-time password into the mobile device before expiration of the short time interval, when the one-time password disappears from the display of the code generator. This places extra pressure on the user, increases the likelihood of error in entering characters that have no meaning to the user, and thus increases the likelihood of failing to obtain access.
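The two properties that the preceding paragraphs attribute to one-time passwords, that an intercepted password is useless in a later session and that each password is valid only during a short time interval, can be made concrete with a small model of the token appliance and the authenticating server. The following is an added illustration, not part of the patent text and not a description of the SafeWord product; it assumes the widely used HMAC-based one-time password construction (RFC 4226 HOTP with the RFC 6238 time-step extension), a secret shared between the user's token and the server, a 30-second validity interval and a six-digit code, all of which are assumptions for the example. The server side records the highest time counter it has accepted for each user so that a captured code is rejected on replay, and it only searches a narrow window of counters so that a code entered too late is rejected as expired.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # assumed validity interval of one code
DIGITS = 6          # assumed code length


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: truncate HMAC-SHA1(secret, counter) to a decimal code."""
    message = struct.pack(">Q", counter)
    digest = hmac.new(secret, message, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = STEP_SECONDS) -> str:
    """What the token appliance displays at a given time (RFC 6238)."""
    return hotp(secret, int(at_time) // step)


class OneTimePasswordVerifier:
    """Server-side check with expiry window and single-use enforcement."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, skew: int = 1):
        self.secret = secret
        self.step = step
        self.skew = skew                 # accept +/- this many steps of clock drift
        self.last_counter = {}           # user_id -> highest counter already accepted

    def verify(self, user_id: str, code: str, now: float) -> bool:
        base = int(now) // self.step
        for counter in range(base - self.skew, base + self.skew + 1):
            if counter < 0:
                continue
            # constant-time comparison so the check leaks nothing about the code
            if hmac.compare_digest(hotp(self.secret, counter), code):
                if self.last_counter.get(user_id, -1) >= counter:
                    return False         # replay: this code (or a later one) was already used
                self.last_counter[user_id] = counter
                return True
        return False                     # wrong code, or a code outside the validity window


if __name__ == "__main__":
    # Constructed shared secret (the RFC 4226 test-vector secret), not a real credential.
    secret = b"12345678901234567890"
    verifier = OneTimePasswordVerifier(secret)
    code = totp(secret, 59)                          # token display at t=59s
    print("first use  :", verifier.verify("alice", code, 59))   # True
    print("replay     :", verifier.verify("alice", code, 61))   # False
    print("late entry :", verifier.verify("alice", code, 209))  # False, window expired
```

The window of accepted counters is the only tolerance for the delay between reading the code from the appliance and entering it at the terminal, which is exactly the pressure on the user that the text describes; widening the window eases entry but lengthens the time during which an observed code remains usable.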
Other proposed approaches to identifying the user separately from the device focus on measuring an aspect of the human user, called a biometric, such as a fingerprint or retinal image. Such approaches call for building a biometric sensor into the mobile device and integrating logic associated with the sensor into the logic associated with the communications aspect of the wireless device.
Such approaches suffer from several disadvantages. For example, there are few standards for biometric sensors, so the logic to integrate biometric sensor output with the communication protocols depends on the sensor installed, and is thus cumbersome and expensive to produce. In addition, the sensor data processing is likely to be computationally intensive, exceeding the resources typically available on the most portable devices such as wireless telephones. Furthermore, hundreds of thousands of wireless telephones will be deployed in the next few years without such biometric sensors, and none of these deployed telephones would be able to employ such approaches.
Based on the foregoing, there is a clear need for a user authentication process separate from device authentication that makes use of existing capabilities of mobile devices such as wireless telephones.
In particular, there is a need for an authentication process that makes use of the voice capture and transmission properties of wireless telephones.